authormorpheus65535 <[email protected]>2023-09-18 11:59:45 -0400
committermorpheus65535 <[email protected]>2023-09-18 11:59:45 -0400
commit17add7fbb3ae1919a40d505470d499d46df9ae6b (patch)
tree608ceb0a69072b72159d4b22232ed03dcd8ac882
parentaa0af3f601bad55294ec241009293c60bbb3dce3 (diff)
downloadbazarr-17add7fbb3ae1919a40d505470d499d46df9ae6b.tar.gz
bazarr-17add7fbb3ae1919a40d505470d499d46df9ae6b.zip
Fixed some code to prevent arbitrary file read and blind SSRF.
-rw-r--r--bazarr/app/ui.py17
1 files changed, 14 insertions, 3 deletions
diff --git a/bazarr/app/ui.py b/bazarr/app/ui.py
index 77708a8c5..85d820bd1 100644
--- a/bazarr/app/ui.py
+++ b/bazarr/app/ui.py
@@ -143,13 +143,22 @@ def movies_images(url):
@check_login
@ui_bp.route('/system/backup/download/<path:filename>', methods=['GET'])
def backup_download(filename):
- return send_file(os.path.join(settings.backup.folder, filename), max_age=0, as_attachment=True)
+ fullpath = os.path.normpath(os.path.join(settings.backup.folder, filename))
+ if not fullpath.startswith(settings.backup.folder):
+ return '', 404
+ else:
+ return send_file(fullpath, max_age=0, as_attachment=True)
@ui_bp.route('/api/swaggerui/static/<path:filename>', methods=['GET'])
def swaggerui_static(filename):
- return send_file(os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), 'libs', 'flask_restx',
- 'static', filename))
+ basepath = os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), 'libs', 'flask_restx',
+ 'static')
+ fullpath = os.path.join(basepath, filename)
+ if not fullpath.startswith(basepath):
+ return '', 404
+ else:
+ return send_file(fullpath)
def configured():
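Review bot: The prefix check added to swaggerui_static is applied to an un-normalized path — `fullpath = os.path.join(basepath, filename)` followed by `fullpath.startswith(basepath)` — so a filename carrying `..` segments still starts with basepath and reaches send_file; unlike backup_download, this branch never calls os.path.normpath, so it only blocks traversal if the routing layer happens to collapse `..` first, which I would not rely on. Both new checks also use a bare startswith, which accepts a sibling directory that shares the prefix (e.g. `<folder>-old/...`) and behaves differently depending on whether the configured folder carries a trailing separator. Flask already ships the safe form of this pattern: `return send_from_directory(settings.backup.folder, filename, max_age=0, as_attachment=True)` and `return send_from_directory(basepath, filename)` join through werkzeug's safe_join and abort with 404 on any escape, so the hand-rolled normpath/startswith pairs can go (import send_from_directory alongside send_file if it is not already). If the manual check is kept instead, normalize first in both routes and compare with `os.path.commonpath([basepath, fullpath]) == basepath` rather than startswith.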
@@ -160,6 +169,8 @@ def configured():
@ui_bp.route('/test', methods=['GET'])
@ui_bp.route('/test/<protocol>/<path:url>', methods=['GET'])
def proxy(protocol, url):
+ if protocol.lower not in ['http', 'https']:
+ return dict(status=False, error='Unsupported protocol')
url = protocol + '://' + unquote(url)
params = request.args
try:
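Review bot: `protocol.lower` on the added guard is a bound-method reference, not a call, so it is never equal to 'http' or 'https' and every request to /test/<protocol>/<url> now returns the 'Unsupported protocol' error; the line should read `if protocol.lower() not in ('http', 'https'):`. Restricting the scheme also does not close the blind SSRF the commit message names: the host and port inside `url` remain caller-controlled, so the endpoint can still be pointed at loopback, link-local metadata addresses or other internal services — if this proxy must stay reachable, it needs a host allow-list or at least a check of the resolved address against private ranges before the request is made. Since the guard returns a dict while the rest of the handler is not visible, it is worth confirming the callers expect that shape on the error path. The body of proxy continues past the end of the hunk.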